

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>User Management &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/css/custom.css" type="text/css" />

  
  
    <link rel="shortcut icon" href="../../../_static/favicon.ico"/>
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../../" src="../../../_static/documentation_options.js"></script>
        <script src="../../../_static/jquery.js"></script>
        <script src="../../../_static/underscore.js"></script>
        <script src="../../../_static/doctools.js"></script>
    
    <script type="text/javascript" src="../../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../../genindex/" />
    <link rel="search" title="Search" href="../../../search/" />
    <link rel="next" title="Repairing PG Inconsistencies" href="../pg-repair/" />
    <link rel="prev" title="Monitoring OSDs and PGs" href="../monitoring-osd-pg/" />
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <div class="section" id="user-management">
<span id="id1"></span><h1>User Management<a class="headerlink" href="#user-management" title="Permalink to this headline">¶</a></h1>
<p>This document describes <a class="reference internal" href="../../../glossary/#term-35"><span class="xref std std-term">Ceph Client</span></a> users and their authentication and authorization with the <a class="reference internal" href="../../../glossary/#term-7"><span class="xref std std-term">Ceph Storage Cluster</span></a>. Users are either individuals or system actors such as applications, which use Ceph clients to interact with the Ceph Storage Cluster daemons.</p>
<p>When Ceph runs with authentication and authorization enabled (enabled by
default), you must specify a user name and a keyring containing the secret key
of the specified user (usually via the command line). If you do not specify a
user name, Ceph will use <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> as the default user name. If you do
not specify a keyring, Ceph will look for a keyring via the <code class="docutils literal notranslate"><span class="pre">keyring</span></code> setting
in the Ceph configuration. For example, if you execute the <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">health</span></code>
command without specifying a user or keyring:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">health</span>
</pre></div>
</div>
<p>Ceph interprets the command like this:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="o">-</span><span class="n">n</span> <span class="n">client</span><span class="o">.</span><span class="n">admin</span> <span class="o">--</span><span class="n">keyring</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">client</span><span class="o">.</span><span class="n">admin</span><span class="o">.</span><span class="n">keyring</span> <span class="n">health</span>
</pre></div>
</div>
<p>Alternatively, you may use the <code class="docutils literal notranslate"><span class="pre">CEPH_ARGS</span></code> environment variable to avoid re-entering the user name and secret key each time.</p>
<p>For details on configuring the Ceph Storage Cluster to use authentication,
see the <a class="reference external" href="../../configuration/auth-config-ref">Cephx Config Reference</a>. For details on the architecture of Cephx, see
<a class="reference external" href="../../../architecture#high-availability-authentication">Architecture - High Availability Authentication</a>.</p>
<div class="section" id="id2">
<h2>Background<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h2>
<p>Irrespective of the type of Ceph client (e.g., Block Device, Object Storage,
Filesystem, native API, etc.), Ceph stores all data as objects within <a class="reference external" href="../pools">pools</a>.
Ceph users must have access to pools in order to read and write data.
Additionally, Ceph users must have execute permissions to use Ceph’s
administrative commands. The following concepts will help you understand Ceph
user management.</p>
<div class="section" id="id3">
<h3>User<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h3>
<p>A user is either an individual or a system actor such as an application.
Creating users allows you to control who (or what) can access your Ceph Storage
Cluster, its pools, and the data within pools.</p>
<p>Ceph has the notion of a <code class="docutils literal notranslate"><span class="pre">type</span></code> of user. For the purposes of user management,
the type will always be <code class="docutils literal notranslate"><span class="pre">client</span></code>. Ceph identifies users in period (.)
delimited form consisting of the user type and the user ID: for example,
<code class="docutils literal notranslate"><span class="pre">TYPE.ID</span></code>, <code class="docutils literal notranslate"><span class="pre">client.admin</span></code>, or <code class="docutils literal notranslate"><span class="pre">client.user1</span></code>. The reason for user typing
is that Ceph Monitors, OSDs, and Metadata Servers also use the Cephx protocol,
but they are not clients. Distinguishing the user type separates client users
from other users, which streamlines access control, user monitoring and
traceability.</p>
<p>Sometimes Ceph’s user type may seem confusing, because the Ceph command line
allows you to specify a user with or without the type, depending upon your
command line usage. If you specify <code class="docutils literal notranslate"><span class="pre">--user</span></code> or <code class="docutils literal notranslate"><span class="pre">--id</span></code>, you can omit the
type. So <code class="docutils literal notranslate"><span class="pre">client.user1</span></code> can be entered simply as <code class="docutils literal notranslate"><span class="pre">user1</span></code>. If you specify
<code class="docutils literal notranslate"><span class="pre">--name</span></code> or <code class="docutils literal notranslate"><span class="pre">-n</span></code>, you must specify the type and name, such as
<code class="docutils literal notranslate"><span class="pre">client.user1</span></code>. We recommend using the type and name as a best practice
wherever possible.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>A Ceph Storage Cluster user is not the same as a Ceph Object Storage
user or a Ceph Filesystem user. The Ceph Object Gateway uses a Ceph Storage
Cluster user to communicate between the gateway daemon and the storage
cluster, but the gateway has its own user management functionality for end
users. The Ceph Filesystem uses POSIX semantics. The user space associated
with the Ceph Filesystem is not the same as a Ceph Storage Cluster user.</p>
</div>
</div>
<div class="section" id="id4">
<h3>Authorization (Capabilities)<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h3>
<p>Ceph uses the term capabilities (caps) to describe the authorizations granted to an
authenticated user to exercise the functionality of the monitors, OSDs and metadata
servers. Capabilities can also restrict access to data within a pool, a namespace
within a pool, or a set of pools identified by their application tags. A Ceph
administrative user grants a user's capabilities when creating or updating that user.</p>
<p>Capability syntax follows the form:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span><span class="n">daemon</span><span class="o">-</span><span class="nb">type</span><span class="p">}</span> <span class="s1">&#39;{cap-spec}[, {cap-spec} ...]&#39;</span>
</pre></div>
</div>
<ul>
<li><p><strong>Monitor Caps:</strong> Monitor capabilities include <code class="docutils literal notranslate"><span class="pre">r</span></code>, <code class="docutils literal notranslate"><span class="pre">w</span></code>, <code class="docutils literal notranslate"><span class="pre">x</span></code> access settings or <code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">{name}</span></code>. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">mon</span> <span class="s1">&#39;allow {access-spec} [network {network/prefix}]&#39;</span>

<span class="n">mon</span> <span class="s1">&#39;profile </span><span class="si">{name}</span><span class="s1">&#39;</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">{access-spec}</span></code> syntax is as follows:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">*</span> <span class="o">|</span> <span class="nb">all</span> <span class="o">|</span> <span class="p">[</span><span class="n">r</span><span class="p">][</span><span class="n">w</span><span class="p">][</span><span class="n">x</span><span class="p">]</span>
</pre></div>
</div>
<p>The optional <code class="docutils literal notranslate"><span class="pre">{network/prefix}</span></code> is a standard network name and prefix length in
CIDR notation (e.g., <code class="docutils literal notranslate"><span class="pre">10.3.0.0/16</span></code>). If present, the use of this capability is restricted to clients connecting from this network.</p>
</li>
<li><p><strong>OSD Caps:</strong> OSD capabilities include <code class="docutils literal notranslate"><span class="pre">r</span></code>, <code class="docutils literal notranslate"><span class="pre">w</span></code>, <code class="docutils literal notranslate"><span class="pre">x</span></code>, <code class="docutils literal notranslate"><span class="pre">class-read</span></code>, <code class="docutils literal notranslate"><span class="pre">class-write</span></code> access settings or <code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">{name}</span></code>.
Additionally, OSD capabilities also allow for pool and namespace settings.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">osd</span> <span class="s1">&#39;allow {access-spec} [{match-spec}] [network {network/prefix}]&#39;</span>

<span class="n">osd</span> <span class="s1">&#39;profile </span><span class="si">{name}</span><span class="s1"> [pool={pool-name} [namespace={namespace-name}]] [network {network/prefix}]&#39;</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">{access-spec}</span></code> syntax is either of the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>* | all | [r][w][x] [class-read] [class-write]

class {class name} [{method name}]
</pre></div>
</div>
<p>The optional <code class="docutils literal notranslate"><span class="pre">{match-spec}</span></code> syntax is either of the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pool</span><span class="o">=</span><span class="p">{</span><span class="n">pool</span><span class="o">-</span><span class="n">name</span><span class="p">}</span> <span class="p">[</span><span class="n">namespace</span><span class="o">=</span><span class="p">{</span><span class="n">namespace</span><span class="o">-</span><span class="n">name</span><span class="p">}]</span> <span class="p">[</span><span class="n">object_prefix</span> <span class="p">{</span><span class="n">prefix</span><span class="p">}]</span>

<span class="p">[</span><span class="n">namespace</span><span class="o">=</span><span class="p">{</span><span class="n">namespace</span><span class="o">-</span><span class="n">name</span><span class="p">}]</span> <span class="n">tag</span> <span class="p">{</span><span class="n">application</span><span class="p">}</span> <span class="p">{</span><span class="n">key</span><span class="p">}</span><span class="o">=</span><span class="p">{</span><span class="n">value</span><span class="p">}</span>
</pre></div>
</div>
<p>The optional <code class="docutils literal notranslate"><span class="pre">{network/prefix}</span></code> is a standard network name and prefix length in
CIDR notation (e.g., <code class="docutils literal notranslate"><span class="pre">10.3.0.0/16</span></code>). If present, the use of this capability is restricted to clients connecting from this network.</p>
</li>
<li><p><strong>Manager Caps:</strong> Manager (<code class="docutils literal notranslate"><span class="pre">ceph-mgr</span></code>) capabilities include
<code class="docutils literal notranslate"><span class="pre">r</span></code>, <code class="docutils literal notranslate"><span class="pre">w</span></code>, <code class="docutils literal notranslate"><span class="pre">x</span></code> access settings or <code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">{name}</span></code>. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">mgr</span> <span class="s1">&#39;allow {access-spec} [network {network/prefix}]&#39;</span>

<span class="n">mgr</span> <span class="s1">&#39;profile </span><span class="si">{name}</span><span class="s1"> [</span><span class="si">{key1}</span><span class="s1"> {match-type} </span><span class="si">{value1}</span><span class="s1"> ...] [network {network/prefix}]&#39;</span>
</pre></div>
</div>
<p>Manager capabilities can also be specified for specific commands,
all commands exported by a built-in manager service, or all commands
exported by a specific add-on module. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">mgr</span> <span class="s1">&#39;allow command &quot;{command-prefix}&quot; [with </span><span class="si">{key1}</span><span class="s1"> {match-type} </span><span class="si">{value1}</span><span class="s1"> ...] [network {network/prefix}]&#39;</span>

<span class="n">mgr</span> <span class="s1">&#39;allow service {service-name} {access-spec} [network {network/prefix}]&#39;</span>

<span class="n">mgr</span> <span class="s1">&#39;allow module {module-name} [with </span><span class="si">{key1}</span><span class="s1"> {match-type} </span><span class="si">{value1}</span><span class="s1"> ...] {access-spec} [network {network/prefix}]&#39;</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">{access-spec}</span></code> syntax is as follows:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">*</span> <span class="o">|</span> <span class="nb">all</span> <span class="o">|</span> <span class="p">[</span><span class="n">r</span><span class="p">][</span><span class="n">w</span><span class="p">][</span><span class="n">x</span><span class="p">]</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">{service-name}</span></code> is one of the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">mgr</span> <span class="o">|</span> <span class="n">osd</span> <span class="o">|</span> <span class="n">pg</span> <span class="o">|</span> <span class="n">py</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">{match-type}</span></code> is one of the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">=</span> <span class="o">|</span> <span class="n">prefix</span> <span class="o">|</span> <span class="n">regex</span>
</pre></div>
</div>
</li>
<li><p><strong>Metadata Server Caps:</strong> For administrators, use <code class="docutils literal notranslate"><span class="pre">allow</span> <span class="pre">*</span></code>.
For all other users, such as CephFS clients, consult <a class="reference internal" href="../../../cephfs/client-auth/"><span class="doc">CephFS Client Capabilities</span></a>.</p></li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The Ceph Object Gateway daemon (<code class="docutils literal notranslate"><span class="pre">radosgw</span></code>) is a client of the Ceph Storage Cluster, so it is not represented as a Ceph Storage Cluster daemon type.</p>
</div>
<p>The following entries describe each access capability.</p>
<p><code class="docutils literal notranslate"><span class="pre">allow</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Precedes access settings for a daemon. Implies <code class="docutils literal notranslate"><span class="pre">rw</span></code> for MDS only.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">r</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives the user read access. Required with monitors to retrieve the CRUSH map.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">w</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives the user write access to objects.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">x</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives the user the capability to call class methods (i.e., both read and write) and to conduct <code class="docutils literal notranslate"><span class="pre">auth</span></code> operations on monitors.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">class-read</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives the user the capability to call class read methods. Subset of <code class="docutils literal notranslate"><span class="pre">x</span></code>.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">class-write</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives the user the capability to call class write methods. Subset of <code class="docutils literal notranslate"><span class="pre">x</span></code>.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">*</span></code>, <code class="docutils literal notranslate"><span class="pre">all</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives the user read, write and execute permissions for a particular daemon/pool, and the ability to execute admin commands.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">osd</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user permissions to connect as an OSD to other OSDs or monitors. Conferred on OSDs to enable OSDs to handle replication, heartbeat traffic and status reporting.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">mds</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user permissions to connect as an MDS to other MDSs or monitors.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">bootstrap-osd</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user permissions to bootstrap an OSD. Conferred on deployment tools such as <code class="docutils literal notranslate"><span class="pre">ceph-volume</span></code>, <code class="docutils literal notranslate"><span class="pre">cephadm</span></code>, etc. so that they have permissions to add keys, etc. when bootstrapping an OSD.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">bootstrap-mds</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user permissions to bootstrap a metadata server. Conferred on deployment tools such as
<code class="docutils literal notranslate"><span class="pre">cephadm</span></code>, etc. so they have permissions to add keys, etc. when bootstrapping a metadata server.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">bootstrap-rbd</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user permissions to bootstrap an RBD user. Conferred on deployment tools such as
<code class="docutils literal notranslate"><span class="pre">cephadm</span></code>, etc. so they have permissions to add keys, etc. when bootstrapping an
RBD user.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">bootstrap-rbd-mirror</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user permissions to bootstrap an <code class="docutils literal notranslate"><span class="pre">rbd-mirror</span></code> daemon
user. Conferred on deployment tools such as <code class="docutils literal notranslate"><span class="pre">cephadm</span></code>, etc.
so they have permissions to add keys, etc. when bootstrapping
an <code class="docutils literal notranslate"><span class="pre">rbd-mirror</span></code> daemon.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">rbd</span></code> (Manager, Monitor, and OSD)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user permissions to manipulate RBD images. When used
as a Monitor cap, it provides the minimal privileges required
by an RBD client application; this includes the ability
to blocklist other client users. When used as an OSD cap, it
provides read-write access to the specified pool to an
RBD client application. The Manager cap supports optional
<code class="docutils literal notranslate"><span class="pre">pool</span></code> and <code class="docutils literal notranslate"><span class="pre">namespace</span></code> keyword arguments.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">rbd-mirror</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user permissions to manipulate RBD images and retrieve
RBD mirroring config-key secrets. It provides the minimal
privileges required for the <code class="docutils literal notranslate"><span class="pre">rbd-mirror</span></code> daemon.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">rbd-read-only</span></code> (Manager and OSD)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user read-only permissions to RBD images. The Manager cap supports optional <code class="docutils literal notranslate"><span class="pre">pool</span></code> and <code class="docutils literal notranslate"><span class="pre">namespace</span></code> keyword arguments.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">simple-rados-client</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user read-only permissions for monitor, OSD, and PG data.
Intended for use by direct librados client applications.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">simple-rados-client-with-blocklist</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user read-only permissions for monitor, OSD, and PG data.
Intended for use by direct librados client applications. Also
includes permission to add blocklist entries to build HA
applications.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">fs-client</span></code> (Monitor only)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user read-only permissions for monitor, OSD, PG, and MDS
data.  Intended for CephFS clients.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">role-definer</span></code> (Monitor and Auth)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user <strong>all</strong> permissions for the auth subsystem, read-only
access to monitors, and nothing else.  Useful for automation
tools.  Do not assign this unless you really, <strong>really</strong> know what
you’re doing as the security ramifications are substantial and
pervasive.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">crash</span></code> (Monitor and MGR)</p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Gives a user read-only access to monitors, used in conjunction
with the manager <code class="docutils literal notranslate"><span class="pre">crash</span></code> module to upload daemon crash
dumps into monitor storage for later analysis.</p>
</dd>
</dl>
</div>
<div class="section" id="id5">
<h3>Pools<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h3>
<p>Pools are logical partitions where users store data. In Ceph deployments it is common to create a pool as a logical partition for similar types of data. For example, when deploying Ceph as a backend for OpenStack, a typical deployment would have pools for volumes, images, backups and virtual machines, and users such as <code class="docutils literal notranslate"><span class="pre">client.glance</span></code>, <code class="docutils literal notranslate"><span class="pre">client.cinder</span></code>, etc.</p>
</div>
<div class="section" id="id6">
<h3>Application Tags<a class="headerlink" href="#id6" title="Permalink to this headline">¶</a></h3>
<p>Access may be restricted to specific pools as defined by their application metadata. The <code class="docutils literal notranslate"><span class="pre">*</span></code> wildcard may be used for the <code class="docutils literal notranslate"><span class="pre">key</span></code> argument, the <code class="docutils literal notranslate"><span class="pre">value</span></code> argument, or both.
<code class="docutils literal notranslate"><span class="pre">all</span></code> is a synonym for <code class="docutils literal notranslate"><span class="pre">*</span></code>.</p>
</div>
<div class="section" id="id7">
<h3>Namespaces<a class="headerlink" href="#id7" title="Permalink to this headline">¶</a></h3>
<p>Objects within a pool can be associated to a namespace–a logical group of
objects within the pool. A user’s access to a pool can be associated with a
namespace such that reads and writes by the user take place only within the
namespace. Objects written to a namespace within the pool can only be accessed
by users who have access to the namespace.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Namespaces are primarily useful for applications written on top of <code class="docutils literal notranslate"><span class="pre">librados</span></code>, where the logical grouping can alleviate the need to create different pools. The Ceph Object Gateway (from
<code class="docutils literal notranslate"><span class="pre">luminous</span></code> onward) uses namespaces for various metadata objects.</p>
</div>
<p>The rationale for namespaces is that pools can be a computationally expensive
method of segregating data sets for the purposes of authorizing separate sets
of users. For example, a pool should have ~100 placement groups per OSD. So an
exemplary cluster with 1000 OSDs would have 100,000 placement groups for one
pool. Each pool would create another 100,000 placement groups in the exemplary
cluster. By contrast, writing an object to a namespace simply associates the
namespace to the object name without the computational overhead of a separate
pool. Rather than creating a separate pool for a user or set of users, you may
use a namespace. <strong>Note:</strong> Only available using <code class="docutils literal notranslate"><span class="pre">librados</span></code> at this time.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">namespace</span></code> capability restricts access to a particular RADOS namespace. Limited globbing of namespaces is supported: if the last character of the specified namespace is <code class="docutils literal notranslate"><span class="pre">*</span></code>, access is granted to every namespace that starts with the provided argument.</p>
</div>
</div>
<div class="section" id="id8">
<h2>Managing Users<a class="headerlink" href="#id8" title="Permalink to this headline">¶</a></h2>
<p>The user management functionality provides Ceph Storage Cluster administrators with the ability to create, update and delete users directly in the Ceph Storage Cluster.</p>
<p>When you create or delete users in the Ceph Storage Cluster, you may need to distribute keys to clients so that they can be added to keyrings. See <a class="reference internal" href="#id16">Keyring Management</a> for details.</p>
<div class="section" id="id9">
<h3>List Users<a class="headerlink" href="#id9" title="Permalink to this headline">¶</a></h3>
<p>To list the users in your cluster, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="n">ls</span>
</pre></div>
</div>
<p>Ceph will list out all users in your cluster. For example, in a two-node
exemplary cluster, <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">ls</span></code> will output something that looks like this:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">installed</span> <span class="n">auth</span> <span class="n">entries</span><span class="p">:</span>

<span class="n">osd</span><span class="mf">.0</span>
        <span class="n">key</span><span class="p">:</span> <span class="n">AQCvCbtToC6MDhAATtuT70Sl</span><span class="o">+</span><span class="n">DymPCfDSsyV4w</span><span class="o">==</span>
        <span class="n">caps</span><span class="p">:</span> <span class="p">[</span><span class="n">mon</span><span class="p">]</span> <span class="n">allow</span> <span class="n">profile</span> <span class="n">osd</span>
        <span class="n">caps</span><span class="p">:</span> <span class="p">[</span><span class="n">osd</span><span class="p">]</span> <span class="n">allow</span> <span class="o">*</span>
<span class="n">osd</span><span class="mf">.1</span>
        <span class="n">key</span><span class="p">:</span> <span class="n">AQC4CbtTCFJBChAAVq5spj0ff4eHZICxIOVZeA</span><span class="o">==</span>
        <span class="n">caps</span><span class="p">:</span> <span class="p">[</span><span class="n">mon</span><span class="p">]</span> <span class="n">allow</span> <span class="n">profile</span> <span class="n">osd</span>
        <span class="n">caps</span><span class="p">:</span> <span class="p">[</span><span class="n">osd</span><span class="p">]</span> <span class="n">allow</span> <span class="o">*</span>
<span class="n">client</span><span class="o">.</span><span class="n">admin</span>
        <span class="n">key</span><span class="p">:</span> <span class="n">AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw</span><span class="o">==</span>
        <span class="n">caps</span><span class="p">:</span> <span class="p">[</span><span class="n">mds</span><span class="p">]</span> <span class="n">allow</span>
        <span class="n">caps</span><span class="p">:</span> <span class="p">[</span><span class="n">mon</span><span class="p">]</span> <span class="n">allow</span> <span class="o">*</span>
        <span class="n">caps</span><span class="p">:</span> <span class="p">[</span><span class="n">osd</span><span class="p">]</span> <span class="n">allow</span> <span class="o">*</span>
<span class="n">client</span><span class="o">.</span><span class="n">bootstrap</span><span class="o">-</span><span class="n">mds</span>
        <span class="n">key</span><span class="p">:</span> <span class="n">AQBICbtTOK9uGBAAdbe5zcIGHZL3T</span><span class="o">/</span><span class="n">u2g6EBww</span><span class="o">==</span>
        <span class="n">caps</span><span class="p">:</span> <span class="p">[</span><span class="n">mon</span><span class="p">]</span> <span class="n">allow</span> <span class="n">profile</span> <span class="n">bootstrap</span><span class="o">-</span><span class="n">mds</span>
<span class="n">client</span><span class="o">.</span><span class="n">bootstrap</span><span class="o">-</span><span class="n">osd</span>
        <span class="n">key</span><span class="p">:</span> <span class="n">AQBHCbtT4GxqORAADE5u7RkpCN</span><span class="o">/</span><span class="n">oo4e5W0uBtw</span><span class="o">==</span>
        <span class="n">caps</span><span class="p">:</span> <span class="p">[</span><span class="n">mon</span><span class="p">]</span> <span class="n">allow</span> <span class="n">profile</span> <span class="n">bootstrap</span><span class="o">-</span><span class="n">osd</span>
</pre></div>
</div>
<p>Note that the <code class="docutils literal notranslate"><span class="pre">TYPE.ID</span></code> notation for users applies such that <code class="docutils literal notranslate"><span class="pre">osd.0</span></code> is a user of type <code class="docutils literal notranslate"><span class="pre">osd</span></code> and its ID is <code class="docutils literal notranslate"><span class="pre">0</span></code>, and <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> is a user of type <code class="docutils literal notranslate"><span class="pre">client</span></code> and its ID is <code class="docutils literal notranslate"><span class="pre">admin</span></code> (i.e., the default <code class="docutils literal notranslate"><span class="pre">client.admin</span></code>
user). Note also that each entry has a <code class="docutils literal notranslate"><span class="pre">key:</span> <span class="pre">&lt;value&gt;</span></code> entry, and one or more
<code class="docutils literal notranslate"><span class="pre">caps:</span></code> entries.</p>
<p>You may use the <code class="docutils literal notranslate"><span class="pre">-o</span> <span class="pre">{filename}</span></code> option with <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">ls</span></code> to save the output to a file.</p>
</div>
<div class="section" id="id10">
<h3>Get a User<a class="headerlink" href="#id10" title="Permalink to this headline">¶</a></h3>
<p>To retrieve a specific user, key and capabilities, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="n">get</span> <span class="p">{</span><span class="n">TYPE</span><span class="o">.</span><span class="n">ID</span><span class="p">}</span>
</pre></div>
</div>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="n">get</span> <span class="n">client</span><span class="o">.</span><span class="n">admin</span>
</pre></div>
</div>
<p>You may also use the <code class="docutils literal notranslate"><span class="pre">-o</span> <span class="pre">{filename}</span></code> option with <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">get</span></code> to
save the output to a file. Developers may also execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="n">export</span> <span class="p">{</span><span class="n">TYPE</span><span class="o">.</span><span class="n">ID</span><span class="p">}</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">auth</span> <span class="pre">export</span></code> command is identical to <code class="docutils literal notranslate"><span class="pre">auth</span> <span class="pre">get</span></code>.</p>
</div>
<div class="section" id="id11">
<h3>Add a User<a class="headerlink" href="#id11" title="Permalink to this headline">¶</a></h3>
<p>Adding a user creates a username (i.e., <code class="docutils literal notranslate"><span class="pre">TYPE.ID</span></code>), a secret key and
any capabilities included in the command you use to create the user.</p>
<p>A user’s key enables the user to authenticate with the Ceph Storage Cluster.
The user’s capabilities authorize the user to read, write, or execute on Ceph
monitors (<code class="docutils literal notranslate"><span class="pre">mon</span></code>), Ceph OSDs (<code class="docutils literal notranslate"><span class="pre">osd</span></code>) or Ceph Metadata  Servers (<code class="docutils literal notranslate"><span class="pre">mds</span></code>).</p>
<p>There are a few ways to add a user:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">add</span></code>: This command is the canonical way to add a user. It
will create the user, generate a key and add any specified capabilities.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">get-or-create</span></code>: This command is often the most convenient way
to create a user, because it returns a keyfile format with the user name
(in brackets) and the key. If the user already exists, this command
simply returns the user name and key in the keyfile format. You may use the
<code class="docutils literal notranslate"><span class="pre">-o</span> <span class="pre">{filename}</span></code> option to save the output to a file.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">get-or-create-key</span></code>: This command is a convenient way to create
a user and return the user’s key (only). This is useful for clients that
need the key only (e.g., libvirt). If the user already exists, this command
simply returns the key. You may use the <code class="docutils literal notranslate"><span class="pre">-o</span> <span class="pre">{filename}</span></code> option to save the
output to a file.</p></li>
</ul>
<p>When creating client users, you may create a user with no capabilities. A user
with no capabilities is useless beyond mere authentication, because the client
cannot retrieve the cluster map from the monitor. However, you can create a
user with no capabilities if you wish to defer adding capabilities later using
the <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">caps</span></code> command.</p>
<p>A typical user has at least read capabilities on the Ceph monitor and
read and write capability on Ceph OSDs. Additionally, a user’s OSD permissions
are often restricted to accessing a particular pool.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="n">add</span> <span class="n">client</span><span class="o">.</span><span class="n">john</span> <span class="n">mon</span> <span class="s1">&#39;allow r&#39;</span> <span class="n">osd</span> <span class="s1">&#39;allow rw pool=liverpool&#39;</span>
<span class="n">ceph</span> <span class="n">auth</span> <span class="n">get</span><span class="o">-</span><span class="ow">or</span><span class="o">-</span><span class="n">create</span> <span class="n">client</span><span class="o">.</span><span class="n">paul</span> <span class="n">mon</span> <span class="s1">&#39;allow r&#39;</span> <span class="n">osd</span> <span class="s1">&#39;allow rw pool=liverpool&#39;</span>
<span class="n">ceph</span> <span class="n">auth</span> <span class="n">get</span><span class="o">-</span><span class="ow">or</span><span class="o">-</span><span class="n">create</span> <span class="n">client</span><span class="o">.</span><span class="n">george</span> <span class="n">mon</span> <span class="s1">&#39;allow r&#39;</span> <span class="n">osd</span> <span class="s1">&#39;allow rw pool=liverpool&#39;</span> <span class="o">-</span><span class="n">o</span> <span class="n">george</span><span class="o">.</span><span class="n">keyring</span>
<span class="n">ceph</span> <span class="n">auth</span> <span class="n">get</span><span class="o">-</span><span class="ow">or</span><span class="o">-</span><span class="n">create</span><span class="o">-</span><span class="n">key</span> <span class="n">client</span><span class="o">.</span><span class="n">ringo</span> <span class="n">mon</span> <span class="s1">&#39;allow r&#39;</span> <span class="n">osd</span> <span class="s1">&#39;allow rw pool=liverpool&#39;</span> <span class="o">-</span><span class="n">o</span> <span class="n">ringo</span><span class="o">.</span><span class="n">key</span>
</pre></div>
</div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>If you provide a user with capabilities to access OSDs but do <strong>not</strong> restrict which pools it may access, the user will have access to <strong>all</strong> pools in the cluster!</p>
</div>
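<p>The pool warning above and the trailing-<code class="docutils literal notranslate"><span class="pre">*</span></code> namespace globbing described under Namespaces are easy to get wrong by eye once a cluster holds many keys. The following Python is an added example and not Ceph's own code: it parses text in the shape of the <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">ls</span></code> output shown earlier, splits each cap string into grants, implements the prefix-glob namespace match, and flags client entities whose OSD caps carry no <code class="docutils literal notranslate"><span class="pre">pool=</span></code>, whose caps are <code class="docutils literal notranslate"><span class="pre">allow</span> <span class="pre">*</span></code>, or who hold <code class="docutils literal notranslate"><span class="pre">profile</span> <span class="pre">role-definer</span></code>. The sample entries and keys are constructed placeholders, the function names are this example's own, and only the <code class="docutils literal notranslate"><span class="pre">allow</span></code>/<code class="docutils literal notranslate"><span class="pre">profile</span></code> grant forms with <code class="docutils literal notranslate"><span class="pre">pool=</span></code>/<code class="docutils literal notranslate"><span class="pre">namespace=</span></code> constraints are understood; tag-based grants are not parsed.</p>

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `ceph auth ls`; the keys are placeholders.
SAMPLE_AUTH_LS = """\
installed auth entries:

osd.0
        key: AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
        caps: [mon] allow profile osd
        caps: [osd] allow *
client.admin
        key: AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
        caps: [mon] allow *
        caps: [osd] allow *
client.scratch
        key: AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
        caps: [mon] allow r
        caps: [osd] allow rw
client.tenant-a
        key: AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
        caps: [mon] allow r
        caps: [osd] allow rw pool=liverpool namespace=tenant-a*
client.automation
        key: AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
        caps: [mon] allow profile role-definer
"""

@dataclass
class Grant:
    kind: str                        # "allow" or "profile"
    perms: str                       # "rw", "*", ... or the profile name
    pool: Optional[str] = None       # None: no pool restriction at all
    namespace: Optional[str] = None  # may end in '*' (prefix glob)

def parse_auth_ls(text: str) -> Dict[str, dict]:
    """Return {entity: {"key": ..., "caps": {service: capstring}}}."""
    entries: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("installed auth entries"):
            continue
        if not line[0].isspace():          # an unindented line names an entity
            current = line.strip()
            entries[current] = {"key": None, "caps": {}}
            continue
        field, _, value = line.strip().partition(":")
        if field == "key":
            entries[current]["key"] = value.strip()
        elif field == "caps":              # value looks like "[mon] allow r"
            svc, capstr = re.match(r"\s*\[(\w+)\]\s*(.*)", value).groups()
            entries[current]["caps"][svc] = capstr
    return entries

def parse_grants(capstr: str) -> List[Grant]:
    """Split "allow rw pool=a, allow r pool=b" into Grants. Only the allow/profile
    forms with pool=/namespace= constraints are understood (tag grants are not)."""
    grants = []
    for clause in capstr.split(","):
        tokens = clause.split()
        if tokens[:2] == ["allow", "profile"]:   # "allow profile X" == "profile X"
            tokens = tokens[1:]
        if not tokens:
            continue
        perms, constraints = [], {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                constraints[key] = val
            else:
                perms.append(tok)
        grants.append(Grant(tokens[0], " ".join(perms),
                            constraints.get("pool"), constraints.get("namespace")))
    return grants

def namespace_matches(granted: Optional[str], requested: str) -> bool:
    """Cap namespace globbing: a trailing '*' matches any namespace with that prefix."""
    if granted is None:
        return True
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested

def audit(entries: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Flag client entities whose caps are broader than least privilege."""
    findings = []
    for name, ent in entries.items():
        if not name.startswith("client."):   # daemon keys legitimately use profile/allow *
            continue
        for svc, capstr in ent["caps"].items():
            for g in parse_grants(capstr):
                if g.kind == "profile" and g.perms == "role-definer":
                    findings.append((name, svc, "role-definer: full control of the auth subsystem"))
                elif g.kind == "allow" and g.perms == "*":
                    findings.append((name, svc, "allow *: unrestricted access to " + svc))
                elif svc == "osd" and g.kind == "allow" and g.pool is None:
                    findings.append((name, svc, "osd caps without pool=: every pool is reachable"))
    return findings

if __name__ == "__main__":
    for entity, svc, why in audit(parse_auth_ls(SAMPLE_AUTH_LS)):
        print("%-18s [%s] %s" % (entity, svc, why))
```

<p>Daemon keys (<code class="docutils literal notranslate"><span class="pre">osd.*</span></code>, <code class="docutils literal notranslate"><span class="pre">mon.*</span></code>, <code class="docutils literal notranslate"><span class="pre">mds.*</span></code>) are skipped because they legitimately carry <code class="docutils literal notranslate"><span class="pre">profile</span></code> and <code class="docutils literal notranslate"><span class="pre">allow</span> <span class="pre">*</span></code> caps; <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> is reported on purpose so that whoever reviews the list decides explicitly on which hosts its keyring should exist.</p>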
</div>
<div class="section" id="modify-user-capabilities">
<span id="id12"></span><h3>Modify User Capabilities<a class="headerlink" href="#modify-user-capabilities" title="Permalink to this headline">¶</a></h3>
<p>The <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">caps</span></code> command allows you to specify a user and change the user's capabilities. Setting new capabilities will overwrite the current capabilities. To view the current capabilities, run <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">get</span> <span class="pre">USERTYPE.USERID</span></code>. To add capabilities, you must also specify the existing capabilities when using the form:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="n">caps</span> <span class="n">USERTYPE</span><span class="o">.</span><span class="n">USERID</span> <span class="p">{</span><span class="n">daemon</span><span class="p">}</span> <span class="s1">&#39;allow [r|w|x|*|...] [pool={pool-name}] [namespace={namespace-name}]&#39;</span> <span class="p">[{</span><span class="n">daemon</span><span class="p">}</span> <span class="s1">&#39;allow [r|w|x|*|...] [pool={pool-name}] [namespace={namespace-name}]&#39;</span><span class="p">]</span>
</pre></div>
</div>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="n">get</span> <span class="n">client</span><span class="o">.</span><span class="n">john</span>
<span class="n">ceph</span> <span class="n">auth</span> <span class="n">caps</span> <span class="n">client</span><span class="o">.</span><span class="n">john</span> <span class="n">mon</span> <span class="s1">&#39;allow r&#39;</span> <span class="n">osd</span> <span class="s1">&#39;allow rw pool=liverpool&#39;</span>
<span class="n">ceph</span> <span class="n">auth</span> <span class="n">caps</span> <span class="n">client</span><span class="o">.</span><span class="n">paul</span> <span class="n">mon</span> <span class="s1">&#39;allow rw&#39;</span> <span class="n">osd</span> <span class="s1">&#39;allow rwx pool=liverpool&#39;</span>
<span class="n">ceph</span> <span class="n">auth</span> <span class="n">caps</span> <span class="n">client</span><span class="o">.</span><span class="n">brian</span><span class="o">-</span><span class="n">manager</span> <span class="n">mon</span> <span class="s1">&#39;allow *&#39;</span> <span class="n">osd</span> <span class="s1">&#39;allow *&#39;</span>
</pre></div>
</div>
<p>See <a class="reference internal" href="#id4">Authorization (Capabilities)</a> for additional details on capabilities.</p>
</div>
<div class="section" id="id13">
<h3>Delete a User<a class="headerlink" href="#id13" title="Permalink to this headline">¶</a></h3>
<p>To delete a user, use <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">del</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="k">del</span> <span class="p">{</span><span class="n">TYPE</span><span class="p">}</span><span class="o">.</span><span class="p">{</span><span class="n">ID</span><span class="p">}</span>
</pre></div>
</div>
<p>其中 <code class="docutils literal notranslate"><span class="pre">{TYPE}</span></code> 是 <code class="docutils literal notranslate"><span class="pre">client</span></code> 、 <code class="docutils literal notranslate"><span class="pre">osd</span></code> 、 <code class="docutils literal notranslate"><span class="pre">mon</span></code> 或 <code class="docutils literal notranslate"><span class="pre">mds</span></code>
之一， <code class="docutils literal notranslate"><span class="pre">{ID}</span></code> 是用户名或守护进程的 ID 。</p>
</div>
<div class="section" id="id14">
<h3>Print a User's Key<a class="headerlink" href="#id14" title="Permalink to this headline">¶</a></h3>
<p>To print a user’s authentication key to standard output, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="nb">print</span><span class="o">-</span><span class="n">key</span> <span class="p">{</span><span class="n">TYPE</span><span class="p">}</span><span class="o">.</span><span class="p">{</span><span class="n">ID</span><span class="p">}</span>
</pre></div>
</div>
<p>Where <code class="docutils literal notranslate"><span class="pre">{TYPE}</span></code> is one of <code class="docutils literal notranslate"><span class="pre">client</span></code>, <code class="docutils literal notranslate"><span class="pre">osd</span></code>, <code class="docutils literal notranslate"><span class="pre">mon</span></code>, or <code class="docutils literal notranslate"><span class="pre">mds</span></code>,
and <code class="docutils literal notranslate"><span class="pre">{ID}</span></code> is the user name or ID of the daemon.</p>
<p>Printing a user’s key is useful when you need to populate client
software with a user’s key (e.g., libvirt). Be aware that passing the key as a <code class="docutils literal notranslate"><span class="pre">secret=</span></code> mount option, as in the example below, leaves it in the shell history and exposes it in the process list while the command runs; <code class="docutils literal notranslate"><span class="pre">mount.ceph</span></code> also accepts <code class="docutils literal notranslate"><span class="pre">secretfile=</span></code>, which reads the key from a file that can be kept readable by root only.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>mount -t ceph serverhost:/ mountpoint -o name=client.user,secret=`ceph auth print-key client.user`
</pre></div>
</div>
</div>
<div class="section" id="id15">
<h3>Import a User<a class="headerlink" href="#id15" title="Permalink to this headline">¶</a></h3>
<p>To import one or more users, use <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">import</span></code> and specify a keyring:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">auth</span> <span class="kn">import</span> <span class="o">-</span><span class="n">i</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">keyring</span>
</pre></div>
</div>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ceph</span> <span class="n">auth</span> <span class="kn">import</span> <span class="o">-</span><span class="n">i</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">keyring</span>
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The Ceph storage cluster will add new users, their keys and their capabilities, and will update existing users, their keys and their capabilities.</p>
</div>
</div>
</div>
<div class="section" id="id16">
<h2>Keyring Management<a class="headerlink" href="#id16" title="Permalink to this headline">¶</a></h2>
<p>When you access Ceph via a Ceph client, the Ceph client will look for a local
keyring. Ceph presets the <code class="docutils literal notranslate"><span class="pre">keyring</span></code> setting with the following four keyring
names by default so you don’t have to set them in your Ceph configuration file
unless you want to override the defaults (not recommended):</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">/etc/ceph/$cluster.$name.keyring</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">/etc/ceph/$cluster.keyring</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">/etc/ceph/keyring</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">/etc/ceph/keyring.bin</span></code></p></li>
</ul>
<p>The <code class="docutils literal notranslate"><span class="pre">$cluster</span></code> metavariable is your Ceph cluster name as defined by the
name of the Ceph configuration file (i.e., <code class="docutils literal notranslate"><span class="pre">ceph.conf</span></code> means the cluster name
is <code class="docutils literal notranslate"><span class="pre">ceph</span></code>; thus, <code class="docutils literal notranslate"><span class="pre">ceph.keyring</span></code>). The <code class="docutils literal notranslate"><span class="pre">$name</span></code> metavariable is the user
type and user ID (e.g., <code class="docutils literal notranslate"><span class="pre">client.admin</span></code>; thus, <code class="docutils literal notranslate"><span class="pre">ceph.client.admin.keyring</span></code>).</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>You may need to use <code class="docutils literal notranslate"><span class="pre">sudo</span></code> to execute a command as <code class="docutils literal notranslate"><span class="pre">root</span></code>
when that command reads or writes <code class="docutils literal notranslate"><span class="pre">/etc/ceph</span></code>.</p>
</div>
<p>After you create a user (e.g., <code class="docutils literal notranslate"><span class="pre">client.ringo</span></code>), you must obtain the key and add it to a keyring on the Ceph client so that the user can access the Ceph Storage Cluster.</p>
<p>The <a class="reference internal" href="#id1">User Management</a> section details how to list, get, add, modify and delete
users directly in the Ceph Storage Cluster. However, Ceph also provides the
<code class="docutils literal notranslate"><span class="pre">ceph-authtool</span></code> utility to allow you to manage keyrings from a Ceph client.</p>
<div class="section" id="id17">
<h3>Create a Keyring<a class="headerlink" href="#id17" title="Permalink to this headline">¶</a></h3>
<p>When you use the procedures in the <a class="reference internal" href="#id8">Managing Users</a> section to create users,
you need to provide user keys to the Ceph client(s) so that the Ceph client
can retrieve the key for the specified user and authenticate with the Ceph
Storage Cluster. Ceph Clients access keyrings to lookup a user name and
retrieve the user’s key.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">ceph-authtool</span></code> utility allows you to create a keyring. To create an
empty keyring, use <code class="docutils literal notranslate"><span class="pre">--create-keyring</span></code> or <code class="docutils literal notranslate"><span class="pre">-C</span></code>. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span><span class="o">-</span><span class="n">authtool</span> <span class="o">--</span><span class="n">create</span><span class="o">-</span><span class="n">keyring</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">keyring</span>
</pre></div>
</div>
<p>When creating a keyring with multiple users, we recommend using the cluster name
(e.g., <code class="docutils literal notranslate"><span class="pre">$cluster.keyring</span></code>) for the keyring filename and saving it in the
<code class="docutils literal notranslate"><span class="pre">/etc/ceph</span></code> directory so that the <code class="docutils literal notranslate"><span class="pre">keyring</span></code> configuration default setting
will pick up the filename without requiring you to specify it in the local copy
of your Ceph configuration file. For example, create <code class="docutils literal notranslate"><span class="pre">ceph.keyring</span></code> by
executing the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ceph</span><span class="o">-</span><span class="n">authtool</span> <span class="o">-</span><span class="n">C</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">keyring</span>
</pre></div>
</div>
<p>When creating a keyring with a single user, we recommend using the cluster name,
the user type and the user name and saving it in the <code class="docutils literal notranslate"><span class="pre">/etc/ceph</span></code> directory.
For example, <code class="docutils literal notranslate"><span class="pre">ceph.client.admin.keyring</span></code> for the <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> user.</p>
<p>To create a keyring in <code class="docutils literal notranslate"><span class="pre">/etc/ceph</span></code>, you must do so as <code class="docutils literal notranslate"><span class="pre">root</span></code>. This means
the file will have <code class="docutils literal notranslate"><span class="pre">rw</span></code> permissions for the <code class="docutils literal notranslate"><span class="pre">root</span></code> user only, which is
appropriate when the keyring contains administrator keys. However, if you
intend to use the keyring for a particular user or group of users, ensure
that you execute <code class="docutils literal notranslate"><span class="pre">chown</span></code> or <code class="docutils literal notranslate"><span class="pre">chmod</span></code> to establish appropriate keyring
ownership and access.</p>
</div>
<div class="section" id="id18">
<h3>Add a User to a Keyring<a class="headerlink" href="#id18" title="Permalink to this headline">¶</a></h3>
<p>When you <a class="reference internal" href="#id11">Add a User</a> to the Ceph Storage Cluster, you can use the <a class="reference internal" href="#id10">Get a User</a> procedure to retrieve the user, key and capabilities and save the user to a keyring file.</p>
<p>When you only want to use one user per keyring, the <a class="reference internal" href="#id10">Get a User</a> procedure with
the <code class="docutils literal notranslate"><span class="pre">-o</span></code> option will save the output in the keyring file format. For example,
to create a keyring for the <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> user, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ceph</span> <span class="n">auth</span> <span class="n">get</span> <span class="n">client</span><span class="o">.</span><span class="n">admin</span> <span class="o">-</span><span class="n">o</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">client</span><span class="o">.</span><span class="n">admin</span><span class="o">.</span><span class="n">keyring</span>
</pre></div>
</div>
<p>Notice that we use the recommended file format for an individual user.</p>
<p>When you want to import users to a keyring, you can use <code class="docutils literal notranslate"><span class="pre">ceph-authtool</span></code>
to specify the destination keyring and the source keyring.
For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ceph</span><span class="o">-</span><span class="n">authtool</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">keyring</span> <span class="o">--</span><span class="n">import</span><span class="o">-</span><span class="n">keyring</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">client</span><span class="o">.</span><span class="n">admin</span><span class="o">.</span><span class="n">keyring</span>
</pre></div>
</div>
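<p>The file-permission advice above and the <code class="docutils literal notranslate"><span class="pre">--import-keyring</span></code> merge are worth seeing together. The following Python is an added example and not part of Ceph or <code class="docutils literal notranslate"><span class="pre">ceph-authtool</span></code>: it parses keyrings in the bracketed <code class="docutils literal notranslate"><span class="pre">[entity]</span></code> / <code class="docutils literal notranslate"><span class="pre">key</span> <span class="pre">=</span></code> / <code class="docutils literal notranslate"><span class="pre">caps</span> <span class="pre">&lt;svc&gt;</span> <span class="pre">=</span></code> file format this page describes, merges one keyring into another (assuming, as this example does for <code class="docutils literal notranslate"><span class="pre">--import-keyring</span></code>, that an entity present in both takes the imported key and caps), and writes the result to a file that is created owner-only from the first instant and published atomically, rather than chmod'ed after the fact. The two sample keyrings, their keys and the function names are constructed for the example.</p>

```python
import os
import stat
import tempfile
from typing import Dict, Optional

# Constructed keyrings in the file format ceph-authtool reads and writes; placeholder keys.
SAMPLE_CEPH_KEYRING = """\
[client.admin]
\tkey = AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
\tcaps mon = "allow *"
\tcaps osd = "allow *"
[client.ringo]
\tkey = AQBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==
\tcaps mon = "allow rwx"
\tcaps osd = "allow rwx"
"""
SAMPLE_RINGO_KEYRING = """\
[client.ringo]
\tkey = AQCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC==
\tcaps mon = "allow r"
\tcaps osd = "allow rw pool=liverpool"
"""

def parse_keyring(text: str) -> Dict[str, dict]:
    """Return {entity: {"key": str, "caps": {service: capstring}}}."""
    entries: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {"key": None, "caps": {}}
            continue
        if current is None:
            raise ValueError("setting before any [entity] header: %r" % line)
        name, _, value = line.partition("=")       # first '=' only: cap strings contain '='
        name, value = name.strip(), value.strip().strip('"')
        if name == "key":
            entries[current]["key"] = value
        elif name.startswith("caps "):
            entries[current]["caps"][name.split(None, 1)[1]] = value
    return entries

def format_keyring(entries: Dict[str, dict]) -> str:
    """Serialise entries back into the keyring file format."""
    lines = []
    for entity in sorted(entries):
        lines.append("[%s]" % entity)
        lines.append("\tkey = %s" % entries[entity]["key"])
        for svc, capstr in sorted(entries[entity]["caps"].items()):
            lines.append('\tcaps %s = "%s"' % (svc, capstr))
    return "\n".join(lines) + "\n"

def import_keyring(dest: Dict[str, dict], src: Dict[str, dict]) -> Dict[str, dict]:
    """Merge src into a copy of dest. An entity present in both takes src's key and caps
    (the behaviour this example assumes for `ceph-authtool --import-keyring`)."""
    merged = {e: {"key": v["key"], "caps": dict(v["caps"])} for e, v in dest.items()}
    merged.update({e: {"key": v["key"], "caps": dict(v["caps"])} for e, v in src.items()})
    return merged

def write_keyring(path: str, entries: Dict[str, dict], mode: int = 0o600) -> None:
    """Create the file owner-only from the first instant and publish it atomically, so the
    key is never readable by others, not even between creation and a later chmod."""
    tmp = path + ".tmp"
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(tmp, flags, mode)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(format_keyring(entries))
        os.chmod(tmp, mode)                     # O_CREAT's mode is masked by umask
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def keyring_mode_ok(path: str) -> bool:
    """True when the keyring has no group/other permission bits set."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def demo(directory: Optional[str] = None) -> dict:
    """Import client.ringo's keyring into the cluster keyring, write it, read it back."""
    path = os.path.join(directory or tempfile.mkdtemp(), "ceph.keyring")
    merged = import_keyring(parse_keyring(SAMPLE_CEPH_KEYRING),
                            parse_keyring(SAMPLE_RINGO_KEYRING))
    write_keyring(path, merged)
    with open(path) as fh:
        reread = parse_keyring(fh.read())
    return {"path": path, "entries": merged,
            "round_trip": reread == merged, "mode_ok": keyring_mode_ok(path)}

if __name__ == "__main__":
    result = demo()
    print(format_keyring(result["entries"]), end="")
    print("written to", result["path"], "mode ok:", result["mode_ok"])
```

<p>The merge deliberately replaces the stale <code class="docutils literal notranslate"><span class="pre">client.ringo</span></code> entry (key and <code class="docutils literal notranslate"><span class="pre">allow</span> <span class="pre">rwx</span></code> caps) with the narrower one from the imported keyring; creating the file with <code class="docutils literal notranslate"><span class="pre">O_EXCL</span></code> and an explicit mode avoids the window in which a keyring written by a default-umask process is group- or world-readable before <code class="docutils literal notranslate"><span class="pre">chmod</span></code> runs.</p>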
</div>
<div class="section" id="id19">
<h3>Create a User<a class="headerlink" href="#id19" title="Permalink to this headline">¶</a></h3>
<p>Ceph provides the <a class="reference internal" href="#id11">Add a User</a> function to create a user directly in the Ceph
Storage Cluster. However, you can also create a user, keys and capabilities
directly on a Ceph client keyring. Then, you can import the user to the Ceph
Storage Cluster. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ceph</span><span class="o">-</span><span class="n">authtool</span> <span class="o">-</span><span class="n">n</span> <span class="n">client</span><span class="o">.</span><span class="n">ringo</span> <span class="o">--</span><span class="n">cap</span> <span class="n">osd</span> <span class="s1">&#39;allow rwx&#39;</span> <span class="o">--</span><span class="n">cap</span> <span class="n">mon</span> <span class="s1">&#39;allow rwx&#39;</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">keyring</span>
</pre></div>
</div>
<p><a class="reference internal" href="#id4">Authorization (Capabilities)</a> describes capabilities in detail.</p>
<p>You can also create the keyring and add the new user to it in a single step. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ceph</span><span class="o">-</span><span class="n">authtool</span> <span class="o">-</span><span class="n">C</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">keyring</span> <span class="o">-</span><span class="n">n</span> <span class="n">client</span><span class="o">.</span><span class="n">ringo</span> <span class="o">--</span><span class="n">cap</span> <span class="n">osd</span> <span class="s1">&#39;allow rwx&#39;</span> <span class="o">--</span><span class="n">cap</span> <span class="n">mon</span> <span class="s1">&#39;allow rwx&#39;</span> <span class="o">--</span><span class="n">gen</span><span class="o">-</span><span class="n">key</span>
</pre></div>
</div>
<p>In the foregoing scenarios, the new user <code class="docutils literal notranslate"><span class="pre">client.ringo</span></code> exists only in the
keyring. To make the user known to the Ceph Storage Cluster, you must still add
the keyring entry to the cluster:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ceph</span> <span class="n">auth</span> <span class="n">add</span> <span class="n">client</span><span class="o">.</span><span class="n">ringo</span> <span class="o">-</span><span class="n">i</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">keyring</span>
</pre></div>
</div>
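<p>As an added example (not Ceph's own code), the following Python audits a keyring of the kind the <code>ceph-authtool</code> commands above write: it parses each entity and its caps, flags entries that carry <code>allow *</code> or a mon cap with <code>x</code>, and reports a file mode that would expose the plaintext key. The sample keyring and its key values are constructed placeholders.</p>

```python
import re

# Constructed sample keyring in the format ceph-authtool writes (key values are placeholders).
SAMPLE_KEYRING = """\
[client.admin]
\tkey = PLACEHOLDER-NOT-A-REAL-KEY==
\tcaps mon = "allow *"
\tcaps osd = "allow *"
[client.ringo]
\tkey = PLACEHOLDER-NOT-A-REAL-KEY==
\tcaps mon = "allow rwx"
\tcaps osd = "allow rwx"
"""
SECTION_RE = re.compile(r"^\[([a-z]+\.[^\]]+)\]$")                   # [client.ringo]
KV_RE = re.compile(r'^(key|caps)(?:\s+(\w+))?\s*=\s*"?([^"]*)"?$')  # key = .. / caps mon = ".."


def parse_keyring(text):
    """Return {entity: {"key": str|None, "caps": {service: capstring}}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:  # a section header starts a new entity
            current = sec.group(1)
            entries[current] = {"key": None, "caps": {}}
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            kind, svc, val = kv.groups()
            if kind == "key":
                entries[current]["key"] = val.strip()
            elif svc:
                entries[current]["caps"][svc] = val.strip()
    return entries


def audit_caps(entries):
    """Flag caps broader than a client usually needs: 'allow *' on any service, and
    'x' on mon (which also permits auth operations on the monitors)."""
    findings = []
    for entity, rec in entries.items():
        for svc, cap in rec["caps"].items():
            if cap == "allow *":
                findings.append((entity, svc, "unrestricted 'allow *'"))
            elif svc == "mon" and re.search(r"allow\s+[rw]*x\b", cap):
                findings.append((entity, svc, "mon 'x' permits auth commands"))
    return findings


def mode_leaks_key(mode):
    """True if a keyring file mode (e.g. 0o644) lets group or others read the plaintext key."""
    return bool(mode & 0o044)
```

Run it against a real keyring with <code>parse_keyring(open(path).read())</code> and <code>mode_leaks_key(os.stat(path).st_mode)</code>; the entries in the sample above produce three findings.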
</div>
<div class="section" id="id20">
<h3>Modify User Attributes<a class="headerlink" href="#id20" title="Permalink to this headline">¶</a></h3>
<p>To modify the capabilities of a user record in a keyring, specify the keyring,
and the user followed by the capabilities. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ceph</span><span class="o">-</span><span class="n">authtool</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">keyring</span> <span class="o">-</span><span class="n">n</span> <span class="n">client</span><span class="o">.</span><span class="n">ringo</span> <span class="o">--</span><span class="n">cap</span> <span class="n">osd</span> <span class="s1">&#39;allow rwx&#39;</span> <span class="o">--</span><span class="n">cap</span> <span class="n">mon</span> <span class="s1">&#39;allow rwx&#39;</span>
</pre></div>
</div>
<p>To propagate the change to the Ceph Storage Cluster, you must import the updated
keyring entry into the user's entry in the Ceph Storage Cluster:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ceph</span> <span class="n">auth</span> <span class="kn">import</span> <span class="o">-</span><span class="n">i</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">.</span><span class="n">keyring</span>
</pre></div>
</div>
<p><a class="reference internal" href="#id15">Import a User</a> describes in detail how to update a Ceph Storage Cluster user from a keyring.</p>
<p>You can also <a class="reference internal" href="#id12">modify user capabilities</a> directly in the cluster,
store the result in a keyring file, and then
import that keyring into your main <code class="docutils literal notranslate"><span class="pre">ceph.keyring</span></code> file.</p>
</div>
</div>
<div class="section" id="id21">
<h2>Command Line Usage<a class="headerlink" href="#id21" title="Permalink to this headline">¶</a></h2>
<p>Ceph supports the following usage for user names and secrets:</p>
<p><code class="docutils literal notranslate"><span class="pre">--id</span></code> | <code class="docutils literal notranslate"><span class="pre">--user</span></code></p>
<dl class="field-list">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Ceph identifies users with a type and an ID (e.g., <code class="docutils literal notranslate"><span class="pre">TYPE.ID</span></code>, such as <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> or <code class="docutils literal notranslate"><span class="pre">client.user1</span></code>). The <code class="docutils literal notranslate"><span class="pre">id</span></code>, <code class="docutils literal notranslate"><span class="pre">name</span></code> and <code class="docutils literal notranslate"><span class="pre">-n</span></code> options let you specify the ID portion of the user name (e.g., <code class="docutils literal notranslate"><span class="pre">admin</span></code>, <code class="docutils literal notranslate"><span class="pre">user1</span></code>, <code class="docutils literal notranslate"><span class="pre">foo</span></code>). With <code class="docutils literal notranslate"><span class="pre">--id</span></code> you specify the user and omit the type; for example, the following commands specify the <code class="docutils literal notranslate"><span class="pre">client.foo</span></code> user:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="o">--</span><span class="nb">id</span> <span class="n">foo</span> <span class="o">--</span><span class="n">keyring</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">keyring</span> <span class="n">health</span>
<span class="n">ceph</span> <span class="o">--</span><span class="n">user</span> <span class="n">foo</span> <span class="o">--</span><span class="n">keyring</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">keyring</span> <span class="n">health</span>
</pre></div>
</div>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">--name</span></code> | <code class="docutils literal notranslate"><span class="pre">-n</span></code></p>
<dl class="field-list">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Ceph identifies users with a type and an ID (e.g., <code class="docutils literal notranslate"><span class="pre">TYPE.ID</span></code>, such as <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> or <code class="docutils literal notranslate"><span class="pre">client.user1</span></code>). The <code class="docutils literal notranslate"><span class="pre">--name</span></code> and <code class="docutils literal notranslate"><span class="pre">-n</span></code> options let you specify the fully qualified user name; you must give both the user type (typically <code class="docutils literal notranslate"><span class="pre">client</span></code>) and the user ID. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="o">--</span><span class="n">name</span> <span class="n">client</span><span class="o">.</span><span class="n">foo</span> <span class="o">--</span><span class="n">keyring</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">keyring</span> <span class="n">health</span>
<span class="n">ceph</span> <span class="o">-</span><span class="n">n</span> <span class="n">client</span><span class="o">.</span><span class="n">foo</span> <span class="o">--</span><span class="n">keyring</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">keyring</span> <span class="n">health</span>
</pre></div>
</div>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">--keyring</span></code></p>
<dl class="field-list">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>The path to a keyring containing one or more user names and secrets. The <code class="docutils literal notranslate"><span class="pre">--secret</span></code> option provides the same functionality, but it does not work with the RADOS Gateway, which uses <code class="docutils literal notranslate"><span class="pre">--secret</span></code> for another purpose. You can retrieve the keyring with <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">get-or-create</span></code> and store it locally; you can then switch to another user without specifying the keyring path again.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">rbd</span> <span class="nb">map</span> <span class="o">--</span><span class="nb">id</span> <span class="n">foo</span> <span class="o">--</span><span class="n">keyring</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">keyring</span> <span class="n">mypool</span><span class="o">/</span><span class="n">myimage</span>
</pre></div>
</div>
</dd>
</dl>
</div>
<div class="section" id="id22">
<h2>Limitations<a class="headerlink" href="#id22" title="Permalink to this headline">¶</a></h2>
<p>The <code class="docutils literal notranslate"><span class="pre">cephx</span></code> protocol provides mutual authentication between Ceph clients and servers; it is not intended to authenticate human users or application programs. If access control is required, another mechanism must be used. That mechanism is likely to be specific to the front end through which users access the Ceph object store, and its task is to ensure that only acceptable users and programs on that machine can access the Ceph object store.</p>
<p>The keys used to authenticate Ceph clients and servers are typically stored in plain text, in files with appropriate permissions, on trusted hosts.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>Storing keys in plaintext files has security shortcomings, but they are hard to avoid: this is what gives Ceph its basic, usable authentication method. Be aware of these shortcomings when setting up Ceph.</p>
</div>
<p>In particular, arbitrary user machines, and especially portable ones, should not interact with Ceph directly, because that mode of use requires storing a plaintext authentication key on an insecure machine; if such a machine is lost or stolen, the key that grants access to the Ceph cluster is leaked along with it.</p>
<p>Rather than allowing potentially insecure machines to access the Ceph object store directly, require users to first sign in to a trusted machine with adequate security; that trusted machine holds the plaintext keys on people's behalf. Future versions of Ceph may address these particular authentication issues more fully.</p>
<p>At present, none of the Ceph authentication protocols provide confidentiality for messages in transit. Thus, even though an eavesdropper on the physical wire cannot create users or modify them, it can hear and understand all data sent between clients and servers. Further, Ceph has no option to encrypt user data: users can encrypt their data by hand and then store it in the object store, but Ceph has no feature to encrypt objects itself. Users storing sensitive data in Ceph should consider encrypting it before it enters the Ceph cluster.</p>
</div>
</div>



           </div>
           
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>
        &#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).

    </p>
  </div> 

</footer>
        </div>
      </div>

    </section>

  </div>
  


  
  
    
   

</body>
</html>